On Sun, Aug 13, 2006 at 12:13:13PM +0200, Jonas Smedegaard wrote:
> On Sun, 13 Aug 2006 11:26:02 +0200 maximilian attems wrote:
<snipp>
> > please specify the info:
> > i'm not 100% familiar with yaird code, so i'd be happy to know which
> > only root readable part might get exposed?
>
> I don't know which files the local admin chooses to hide from its local
> users.

well that is easily done by setting /boot 0700 or even tighter with
selinux permissions.

> Backup routines ought to make sure to use equal or tighter access
> rights than the originals copied. Same goes for ramdisk builders, IMHO.

well targeting Debian default, this is handwaving until a special file
is named. in the case of loop-aes i understand that the gpg key is a
problem, but in general you didn't provide a backup for a leak claim:
a) /lib/modules is readable by anybody
b) same goes with /boot/config that yaird uses
c) /proc/cmdline, /proc/mount gives lots of info

so please be specific about the leakage.
it is certainly against Debian standard permission setup.
i may declare it needlessly paranoid.

> > hmm indeed netboot should be supported out of the box,
> > that is a counterarg.
>
> Copying info as root and then exposing it to the whole (local) network
> is certainly the special case, not a counter argument of maintaining
> security in general!

which security? - again handwaving, please pinpoint an actual case
in a Debian default setup.

thanks + regards.

--
maks